Dissecting TrickBot

Posted on 2018-10-09 by Adam Swanda

After the demise of the Dyreza banking malware, the vacuum it left was quickly filled by the TrickBot malware family. TrickBot is a modular banking and information-stealing trojan that can rapidly expand its functionality by retrieving additional DLLs from its Command and Control (C&C) server. It is most commonly spread by phishing emails, but it also includes network propagation functionality that spreads it through a victim's network using the EternalRomance exploit for the SMBv1 vulnerability patched in MS17-010. In this blog post, we'll dive into the TrickBot malware, its functionality, modules, and Command and Control communications.

TrickBot

The sample we'll be analyzing in this post is from the campaign we covered in our recent blog Emotet campaign delivers AZORult, IcedID, and TrickBot. Since the TrickBot malware can include many features due to its use of additional modules, we decided to split its analysis into a separate report.

The TrickBot payload analyzed here can be identified by the following hashes:

When executed, TrickBot first contacts the website icanhazip[.]com to retrieve the infected system's public IP address and to test Internet connectivity. Next, a new directory is created at %APPDATA%\AIMT\ (that is, under the user's AppData\Roaming folder) and a copy of the original payload is placed inside it.

The copied payload is executed as a child of the original process and execution is then transferred to the child. Once TrickBot is running in the context of the newly created process, it launches several cmd.exe instances that run commands to disable built-in Windows security measures: Windows Defender is first stopped and then removed from autostart.

Threat Hunting Tip: From an endpoint threat hunting perspective, that sequence of commands (stop Windows Defender, then remove it from autostart), executed in that order by cmd.exe children of a newly created process running from %APPDATA%\AIMT\, can be used as an indication of a TrickBot infection.

The Windows APIs that TrickBot needs are resolved dynamically through LoadLibraryA, LoadLibraryW, and GetProcAddress. This is a common technique in malware: instead of exposing every required function in the Import Address Table (IAT), API addresses are resolved only as they are needed, in an attempt to hide functionality from static analysis.

At this point, TrickBot spawns a copy of svchost.exe in a suspended state and injects itself into that process. From this point on TrickBot runs primarily within the context of svchost.exe, and this process is the one used to contact the C&C server and to retrieve and load modules.

The main configuration contains a list of Command and Control servers, as well as instructions for which modules to run. The extracted configuration file for this sample is shown below.

From this configuration file we can see that the systeminfo and injectDll modules are set to run automatically. The <gtag> value identifies the group ID used for this TrickBot campaign; the same arz1 string is also used in the HTTP requests sent to the C&C servers.

Persistence

To persist across system reboots and ensure the malware stays running, TrickBot will create a new Scheduled Task to re-run the main payload every 10 minutes.
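One way to hunt for this persistence mechanism on an endpoint is to export the scheduled tasks with `schtasks /query /xml` and look for a task whose action runs a binary from %APPDATA% (AppData\Roaming) on a short repetition interval. The Python below is an added example written for this post, not code from the original analysis; the task names, the payload file name and the start times in the constructed task exports are assumed, and the only page-derived facts are the %APPDATA%\AIMT\ location and the 10-minute interval.

```python
"""Hunt exported Task Scheduler XML for a task that re-runs a file from
%APPDATA% (AppData\\Roaming) on a short repetition interval.
Tasks can be exported with: schtasks /query /xml /tn <task name>"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# ISO 8601 durations as used by the Task Scheduler schema, e.g. PT10M or P1DT2H.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")


@dataclass(frozen=True)
class TaskFinding:
    task_name: str
    command: str
    interval_minutes: float


def iso_duration_minutes(value: str) -> float:
    """Convert an ISO 8601 duration such as PT10M or P1DT2H30M into minutes."""
    match = DURATION_RE.match(value.strip())
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def suspicious_tasks(tasks: Dict[str, str], max_interval_minutes: float = 10.0) -> List[TaskFinding]:
    """Return tasks that re-run an AppData\\Roaming binary at least every max_interval_minutes."""
    findings = []
    for name, xml_text in tasks.items():
        # schtasks writes UTF-16 files with an XML declaration; once decoded to str
        # the declaration must be dropped or the parser rejects the encoding mismatch.
        root = ET.fromstring(XML_DECL_RE.sub("", xml_text, count=1))
        # Only trigger repetition intervals count: <RestartOnFailure> also carries an
        # <Interval> element, and it is not the re-run schedule.
        intervals = [
            iso_duration_minutes(el.text)
            for el in root.findall(f".//{TASK_NS}Triggers//{TASK_NS}Repetition/{TASK_NS}Interval")
            if el.text
        ]
        if not intervals:
            continue
        shortest = min(intervals)
        for cmd_el in root.findall(f".//{TASK_NS}Actions/{TASK_NS}Exec/{TASK_NS}Command"):
            command = (cmd_el.text or "").strip()
            if "\\appdata\\roaming\\" in command.lower() and shortest <= max_interval_minutes:
                findings.append(TaskFinding(name, command, shortest))
    return findings


# Constructed task exports for the example (names, file name and dates are assumed).
SAMPLE_TASKS = {
    "ExampleBotTask": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2018-10-09T12:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings>
    <RestartOnFailure><Interval>PT1M</Interval><Count>3</Count></RestartOnFailure>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\AIMT\payload.exe</Command></Exec>
  </Actions>
</Task>""",
    "VendorUpdateCheck": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2018-10-01T08:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\update.exe</Command></Exec>
  </Actions>
</Task>""",
    "UserBackup": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2018-10-01T20:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\Backup\backup.exe</Command></Exec>
  </Actions>
</Task>""",
}

if __name__ == "__main__":
    for finding in suspicious_tasks(SAMPLE_TASKS):
        print(f"{finding.task_name}: {finding.command} every {finding.interval_minutes:g} min")
```

The daily-only task with an AppData path is deliberately not flagged: the signal here is the combination of a user-writable launch location with a re-run interval of minutes, not either property on its own.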

Command & Control

Once the victim environment has been staged, TrickBot will contact a C&C server to perform a check-in. The server will respond with an encrypted list of additional Command and Control servers and any configuration data needed by the malware.

All HTTP requests to the C&C servers use a URL format of /<group ID>/<client ID>/<command>/. When modules and configuration files are requested, an additional string to identify the component is appended to the URL.
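A small parser for that URL layout is useful when hunting proxy logs for the campaign's group ID. The following Python is an added example, not code from the original post; the client ID and command values in the constructed sample URLs are placeholders, since the post only documents the overall /<group ID>/<client ID>/<command>/ structure and the arz1 group tag.

```python
"""Parse TrickBot-style C&C request paths of the form
/<group ID>/<client ID>/<command>/ with an optional trailing component name."""
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class TrickBotRequest:
    gtag: str
    client_id: str
    command: str
    component: Optional[str]  # module or config name when one is requested


def parse_c2_path(url: str) -> Optional[TrickBotRequest]:
    """Return the URL components if the path has the TrickBot layout, else None.

    Three non-empty path segments are the base check-in layout; a fourth
    segment names the module or configuration file being requested.
    Anything else (fewer segments, a normal web page, a longer path) is rejected.
    """
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if len(segments) not in (3, 4):
        return None
    gtag, client_id, command = segments[:3]
    component = segments[3] if len(segments) == 4 else None
    return TrickBotRequest(gtag, client_id, command, component)


def hunt_for_gtag(urls: Iterable[str], gtag: str = "arz1") -> List[TrickBotRequest]:
    """Return the parsed requests whose group tag matches the campaign tag."""
    hits = []
    for url in urls:
        req = parse_c2_path(url)
        if req is not None and req.gtag == gtag:
            hits.append(req)
    return hits


# Constructed sample URLs (host, client ID and command token are placeholders).
SAMPLE_URLS = [
    "http://203.0.113.10:443/arz1/HOST_W617601.A1B2C3D4E5F6/CMD/",
    "http://203.0.113.10:443/arz1/HOST_W617601.A1B2C3D4E5F6/CMD/systeminfo32/",
    "http://203.0.113.10:443/other1/HOST_W617601.A1B2C3D4E5F6/CMD/",
    "http://203.0.113.10:443/arz1/HOST_W617601.A1B2C3D4E5F6/",
    "http://www.example.com/index.html",
]

if __name__ == "__main__":
    for hit in hunt_for_gtag(SAMPLE_URLS):
        print(hit)
```

The segment-count check is what keeps the rule from matching ordinary three-level web paths by accident; pair it with the group tag (or the C&C server list from the Indicators of Compromise section) before raising an alert.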

A complete list of all C&C servers for this payload is available in the Indicators of Compromise section at the end of this blog.

TrickBot Modules

TrickBot's functionality can be expanded through modules fetched from the Command and Control server. Each module serves a distinct purpose, such as injecting into a web browser, capturing credentials, or gathering system information. The modules are stored in a directory named Modules inside %APPDATA%\AIMT\ and are executed by the main TrickBot svchost.exe process. Another interesting note is that each module appears to use the same set of DLL export functions: Control, Release, FreeBuffer, and Start.

If a module requires a configuration file, a new directory will be created inside the Modules folder using the pattern of <module name>_configs. Both the modules themselves and their configuration files are downloaded and stored as AES encrypted files.

Other than the encrypted content, there is not much in the way of hiding the modules' intentions. Each module's file name is labeled after the action it performs. For example, the network collection module is named networkDll and the dynamic web inject configuration is named dinj. The names also include a suffix of either "32" or "64" to indicate whether they were built for a 32-bit or 64-bit system.

While not every module was delivered during this analysis session, we've compiled a list of known TrickBot modules for public knowledge.

Module List

Module          Purpose
systeminfo      Collect system information
networkDll      Collect network and system information
injectDll       Perform web browser injection and data theft
wormDll         Propagate TrickBot via SMB
shareDll        Propagate TrickBot via SMB
tabDll          Propagate TrickBot via the EternalRomance exploit
importDll       Collect sensitive browser data
mailsearcher    Search the file system
outlookDll      Collect Outlook credentials
domainDll       Collect credentials from the Domain Controller

The following list contains the file names and hashes of each module and configuration file dropped to disk during this analysis session.

Network Module

Network environment information is collected by the aptly named networkDll module. This is done through built-in Windows commands such as ipconfig, net, and nltest. The module is rather small, coming in at only 19 KB.

A configuration file for this module is also dropped and stored in the directory AIMT\Modules\networkDll32_configs\ with a filename of dpost. This file contains a list of C&C servers that can receive exfiltrated data from a victim. The decrypted content of this file can be seen below.

If the HTTP requests fail to contact the provided servers, an error message of "Dpost server unavailable" will be logged while a successful HTTP POST results in the message "Report successfully sent".

The following commands are used to gather network information and are executed through cmd.exe:

/c ipconfig /all

/c net config workstation

/c net view /all

/c net view /all /domain

/c nltest /domain_trusts

/c nltest /domain_trusts /all_trusts
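Those six commands make a good hunting rule because they arrive as a burst of cmd.exe children under a single parent, which is exactly the pattern from the Threat Hunting Tip above. The Python below is an added example for this post, not code from the original analysis: it runs the rule over constructed Sysmon Event ID 1 style records (the field names UtcTime, Image, CommandLine, ParentImage and ParentProcessId are Sysmon's; the PIDs, timestamps and the benign administrator activity are made up).

```python
"""Hunting rule for the networkDll reconnaissance burst: several distinct recon
commands launched as cmd.exe children of one parent process within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# cmd.exe command lines the networkDll module runs, normalised to lower case.
RECON_COMMANDS = (
    "ipconfig /all",
    "net config workstation",
    "net view /all",
    "net view /all /domain",
    "nltest /domain_trusts",
    "nltest /domain_trusts /all_trusts",
)
# Longest first, so "net view /all /domain" is not reported as "net view /all".
_BY_LENGTH = sorted(RECON_COMMANDS, key=len, reverse=True)


def matched_recon_command(command_line: str) -> Optional[str]:
    """Return the recon command invoked by a cmd.exe command line, or None."""
    normalised = " ".join(command_line.lower().split())
    for cmd in _BY_LENGTH:
        if cmd in normalised:
            return cmd
    return None


def recon_bursts(events: List[Dict[str, str]], min_distinct: int = 4,
                 window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Report parents whose cmd.exe children ran at least min_distinct different
    recon commands within `window` of the first one (a fixed window anchored on the
    first hit is enough here; a sliding window would catch slower bursts)."""
    per_parent = defaultdict(list)
    for ev in events:
        if not ev["Image"].lower().endswith("\\cmd.exe"):
            continue
        cmd = matched_recon_command(ev["CommandLine"])
        if cmd is None:
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        per_parent[(ev["ParentProcessId"], ev["ParentImage"])].append((ts, cmd))

    findings = []
    for (ppid, pimage), hits in per_parent.items():
        hits.sort()
        start = hits[0][0]
        seen = {cmd for ts, cmd in hits if ts - start <= window}
        if len(seen) >= min_distinct:
            findings.append({
                "parent_pid": ppid,
                "parent_image": pimage,
                "commands": sorted(seen, key=RECON_COMMANDS.index),
            })
    return findings


def _event(ts: str, ppid: str, pimage: str, cmdline: str) -> Dict[str, str]:
    return {"UtcTime": ts, "ParentProcessId": ppid, "ParentImage": pimage,
            "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": cmdline}


# Constructed process-creation events (PIDs and timestamps are made up).
SVCHOST = r"C:\Windows\System32\svchost.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    _event("2018-10-09 14:03:01.120", "1234", SVCHOST, "cmd.exe /c ipconfig /all"),
    _event("2018-10-09 14:03:01.480", "1234", SVCHOST, "cmd.exe /c net config workstation"),
    _event("2018-10-09 14:03:01.900", "1234", SVCHOST, "cmd.exe /c net view /all"),
    _event("2018-10-09 14:03:02.310", "1234", SVCHOST, "cmd.exe /c net view /all /domain"),
    _event("2018-10-09 14:03:02.750", "1234", SVCHOST, "cmd.exe /c nltest /domain_trusts"),
    _event("2018-10-09 14:03:03.200", "1234", SVCHOST, "cmd.exe /c nltest /domain_trusts /all_trusts"),
    # An administrator running a single command by hand must not trip the rule.
    _event("2018-10-09 14:10:00.000", "4321", EXPLORER, "cmd.exe /c ipconfig /all"),
    _event("2018-10-09 14:11:00.000", "4321", EXPLORER, "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for finding in recon_bursts(SAMPLE_EVENTS):
        print(finding)
```

Keying on the parent rather than on any single command is what separates this from ordinary administrator activity; the svchost.exe parent seen in the constructed events is consistent with the injection described earlier, but the rule does not depend on it.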

This module also attempts to gather information from LDAP, as well as system information including a list of all processes, available memory, operating system information, OS installation date, last boot time, and more. After collection, the data is sent back to the C&C server in three separate HTTP POST requests; each carries a multipart/form-data body whose parts are labelled with custom Content-Disposition names that identify the content of the data.

Content-Disposition: form-data; name="proclist"

Content-Disposition: form-data; name="sysinfo"

Content-Type: multipart/form-data; boundary=Arasfjasu7
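The fixed boundary string and the part names are stable enough to match on in captured traffic. The Python below, an added example rather than code from the original post, parses a constructed report POST: it pulls the boundary from the Content-Type header, splits the body into its parts by their Content-Disposition names, and applies a simple match on the values observed for this sample. The request path's client ID and command token, the host, and the part contents are placeholders; only the boundary Arasfjasu7 and the proclist and sysinfo names come from the analysis.

```python
"""Parse a captured networkDll report POST: recover the multipart/form-data parts
by the name in each part's Content-Disposition header and match on the
boundary string and part names observed for this sample."""
import re
from typing import Dict, Tuple

BOUNDARY_RE = re.compile(rb'boundary="?([^";\r\n]+)"?', re.IGNORECASE)
PART_NAME_RE = re.compile(rb'name="([^"]*)"', re.IGNORECASE)
NETWORKDLL_BOUNDARY = "Arasfjasu7"
NETWORKDLL_PART_NAMES = {"proclist", "sysinfo"}


def split_request(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split a raw HTTP request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_multipart(body: bytes, boundary: bytes) -> Dict[str, bytes]:
    """Return {part name: part body} for a multipart/form-data body."""
    parts = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        part_head, sep, part_body = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if not sep:                          # malformed part: no header/body split
            continue
        name = PART_NAME_RE.search(part_head)
        if name is None:
            continue
        if part_body.endswith(b"\r\n"):      # CRLF that precedes the next delimiter
            part_body = part_body[:-2]
        parts[name.group(1).decode("latin-1")] = part_body
    return parts


def parse_report_post(raw: bytes) -> Dict:
    """Decompose a raw request into method, path, boundary and named parts."""
    request_line, headers, body = split_request(raw)
    method, path, _ = request_line.split(b" ", 2)
    boundary = BOUNDARY_RE.search(headers.get(b"content-type", b""))
    return {
        "method": method.decode("latin-1"),
        "path": path.decode("latin-1"),
        "boundary": boundary.group(1).decode("latin-1") if boundary else None,
        "parts": parse_multipart(body, boundary.group(1)) if boundary else {},
    }


def looks_like_networkdll_report(parsed: Dict) -> bool:
    """Match on the fixed boundary plus the part names this sample uses."""
    return (parsed["method"] == "POST"
            and parsed["boundary"] == NETWORKDLL_BOUNDARY
            and bool(parsed["parts"])
            and set(parsed["parts"]) <= NETWORKDLL_PART_NAMES)


# Constructed capture: host, client ID, command token and part contents are placeholders.
SAMPLE_POST = (
    b"POST /arz1/HOST_W617601.A1B2C3D4E5F6/CMD/ HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Content-Type: multipart/form-data; boundary=Arasfjasu7\r\n"
    b"\r\n"
    b"--Arasfjasu7\r\n"
    b'Content-Disposition: form-data; name="proclist"\r\n'
    b"\r\n"
    b"svchost.exe\r\ncmd.exe\r\n"
    b"--Arasfjasu7\r\n"
    b'Content-Disposition: form-data; name="sysinfo"\r\n'
    b"\r\n"
    b"OS: Windows 7\r\n"
    b"--Arasfjasu7--\r\n"
)

# A constructed browser file upload that must not match.
SAMPLE_BENIGN_POST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryabc123\r\n"
    b"\r\n"
    b"------WebKitFormBoundaryabc123\r\n"
    b'Content-Disposition: form-data; name="file"; filename="notes.txt"\r\n'
    b"\r\n"
    b"hello\r\n"
    b"------WebKitFormBoundaryabc123--\r\n"
)

if __name__ == "__main__":
    report = parse_report_post(SAMPLE_POST)
    print(report["path"], looks_like_networkdll_report(report), list(report["parts"]))
```

The part bodies are kept as bytes on purpose: the process list and system information are exactly what an incident responder wants to recover from a capture, and decoding them is a separate step from identifying the request.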

Browser Injection

TrickBot's primary functionality is the ability to capture credentials for financial institutions and other websites directly from a victim's browser. This is done through the injectDll module and its two configuration files, dinj and sinj. The configuration files define the targeted websites and the C&C servers that will receive the stolen data.

The DLL enumerates all running processes to identify web browsers. If "chrome.exe", "iexplore.exe", "edge.exe", or "firefox.exe" is found, TrickBot injects code into the discovered process using the VirtualAlloc + WriteProcessMemory + CreateRemoteThread method.

Once running within the browser, TrickBot hooks various API calls in order to intercept HTTP traffic before it is encrypted by the browser. The hooked APIs differ depending on which browser it is running in.

In addition to web injects, this module is also responsible for collecting passwords, history, and credit card data stored in the target web browsers. The data is sent back to the C&C servers listed in the dpost configuration file.

Much like the network module, if injectDll fails to perform various actions an error message will be logged. This occurs when the module fails to grab passwords, billing information, credit card data, and autofill information from a browser, or when it fails to send stolen information back to the DPost servers.

Static Web Injections

The complete static injection config contains a total of 544 target URLs. A very small excerpt is shown below.

The dynamic web injects configuration data is saved to the AIMT\Modules\injectDll32_configs\ directory using the filename dinj. This file acts as another configuration for the injectDll module. Below is an excerpt of the decoded data.

Conclusion

InQuest provides protection for its customers against the TrickBot malware family and several of its modules. Customers can use the following signatures to identify activity associated with this threat in their environment.

TrickBot Signatures

MC_TrickBot_Network_Module

MC_TrickBot_Injection_Config

MC_TrickBot_Server_Config

MC_TrickBot_Injection_Module

MC_Trickbot_Worm_Module

MC_TrickBot_Shares_Module

MC_TrickBot_Tabs_Module

MC_TrickBot_Spreader

Indicators of Compromise

To quickly extract the indicators from this blog, check out our open source Python project iocextract. It can easily handle extracting defanged indicators like the ones below.